Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.
apm install @ancoleman/implementing-compliance
[](https://apm-p1ls2dz87-atlamors-projects.vercel.app/packages/@ancoleman/implementing-compliance)---
name: implementing-compliance
description: Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.
---
# Compliance Frameworks
Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.
## Purpose
Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%.
## When to Use
Invoke when:
- Building SaaS products requiring SOC 2 Type II for enterprise sales
- Handling healthcare data (PHI) requiring HIPAA compliance
- Processing payment cards requiring PCI-DSS validation
- Serving EU residents and processing personal data under GDPR
- Implementing security controls that satisfy multiple compliance frameworks
- Automating compliance evidence collection and audit preparation
- Enforcing compliance policies in CI/CD pipelines
## Framework Selection
### Tier 1: Trust & Security Certifications
**SOC 2 Type II**
- Audience: SaaS vendors, cloud service providers
- When required: Enterprise B2B sales, handling customer data
- Timeline: 6-12 month observation period
- 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure
**ISO 27001**
- Audience: Global enterprises
- When required: International business, government contracts
- Timeline: 3-6 month certification, annual surveillance
### Tier 2: Industry-Specific Regulations
**HIPAA (Healthcare)**
- Audience: Healthcare providers, health tech handling PHI
- When required: Processing Protected Health Information
- 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments
**PCI-DSS 4.0 (Payment Card Industry)**
- Audience: Merchants, payment processors
- When required: Processing, storing, transmitting cardholder data
- Effective: April 1, 2025 (mandatory)
- Key changes: Client-side security, 12-char passwords, enhanced MFA
### Tier 3: Privacy Regulations
**GDPR (EU Privacy)**
- Audience: Organizations processing EU residents' data
- When required: EU customers/users (extraterritorial)
- 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency
**CCPA/CPRA (California Privacy)**
- Audience: Businesses serving California residents
- When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales
For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.
## Universal Control Implementation
### Unified Control Strategy
Implement controls once, map to multiple frameworks. Reduces effort by 60-80%.
**Implementation Priority:**
1. **Encryption** (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
2. **Access Control** (MFA-001, RBAC-001): MFA, RBAC, least privilege
3. **Audit Logging** (LOG-001): Centralized, immutable, 7-year retention
4. **Monitoring** (MON-001): SIEM, intrusion detection, alerting
5. **Incident Response** (IR-001): Detection, escalation, breach notification
### Control Categories
**Identity & Access:**
- Multi-factor authentication for privileged access
- Role-based access control with least privilege
- Quarterly access reviews
- Password policy: 12+ characters, complexity
**Data Protection:**
- Encryption: AES-256 (rest), TLS 1.3 (transit)
- Data classification and tagging
- Retention policies aligned with regulations
- Data minimization
**Logging & Monitoring:**
- Centralized audit logging (all auth and data access)
- 7-year retention (satisfies all frameworks)
- Immutable storage (S3 Object Lock)
- Real-time alerting
**Network Security:**
- Network segmentation and VPC isolation
- Firewalls with deny-by-default
- Intrusion detection/prevention
- Regular vulnerability scanning
**Incident Response:**
- Documented incident response plan
- Automated detection and alerting
- Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate
**Business Continuity:**
- Automated backups with defined RPO/RTO
- Multi-region disaster recovery
- Regular failover testing
For complete control implementations, see references/control-mapping-matrix.md.
## Compliance as Code
### Policy Enforcement with OPA
Enforce compliance policies in CI/CD before infrastructure deployment.
**Architecture:**
```
Git Push → Terraform Plan → JSON → OPA Evaluation
├─► Pass → Deploy
└─► Fail → Block
```
**Example: Encryption Policy**
Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4):
See examples/opa-policies/encryption.rego for complete implementation.
**CI/CD Integration:**
```bash
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny'
```
For complete CI/CD patterns, see references/cicd-integration.md.
### Static Analysis with Checkov
Scan IaC with built-in compliance framework support:
```bash
checkov -d ./terraform \
--check SOC2 --check HIPAA --check PCI --check GDPR \
--output cli --output json
```
Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.
### Automated Testing
Integrate compliance validation into test suites:
```python
def test_s3_encrypted(terraform_plan):
"""SOC2:CC6.1, HIPAA:164.312(a)(2)(iv)"""
buckets = get_resources(terraform_plan, "aws_s3_bucket")
encrypted = get_encryption_configs(terraform_plan)
assert all_buckets_encrypted(buckets, encrypted)
def test_opa_policies():
result = subprocess.run(["opa", "eval", "--data", "policies/",
"--input", "tfplan.json", "data.compliance.main.deny"])
assert not json.loads(result.stdout)
```
For complete test patterns, see references/compliance-testing.md.
## Technical Control Implementations
### Encryption at Rest
**Standards:** AES-256, managed KMS, automatic rotation
**AWS Example:**
```hcl
resource "aws_kms_key" "data" {
enable_key_rotation = true
tags = { Compliance = "ENC-001" }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
bucket = aws_s3_bucket.data.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.data.arn
}
}
}
resource "aws_db_instance" "main" {
storage_encrypted = true
kms_key_id = aws_kms_key.data.arn
}
```
For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md.
### Encryption in Transit
**Standards:** TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS
**ALB Example:**
```hcl
resource "aws_lb_listener" "https" {
port = 443
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
```
### Multi-Factor Authentication
**Standards:** TOTP, hardware tokens, biometric for privileged access
**AWS IAM Enforcement:**
```hcl
resource "aws_iam_policy" "require_mfa" {
policy = jsonencode({
Statement = [{
Effect = "Deny"
NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"]
Resource = "*"
Condition = {
BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
}
}]
})
}
```
For application-level MFA (TOTP), see examples/mfa-implementation.py.
### Role-Based Access Control
**Standards:** Least privilege, job function-based roles, quarterly reviews
**Kubernetes Example:**
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: development
rules:
- apiGroups: ["", "apps"]
resources: ["pods", "deployments", "services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"] # Read-only
```
For complete RBAC patterns including AWS IAM and OPA policies, see references/access-control-patterns.md.
### Audit Logging
**Standards:** Structured JSON, 7-year retention, immutable storage
**Required Events:** Authentication, authorization, data access, administrative actions, security events
**Python Example:**
```python
class AuditLogger:
def log_event(self, event_type, user_id, resource_type,
resource_id, action, result, ip_address):
audit_event = {
"timestamp": datetime.utcnow().isoformat() + "Z",
"event_type": event_type.value,
"user_id": user_id,
"action": action,
"result": result,
"resource": {"type": resource_type, "id": resource_id},
"source": {"ip": ip_address}
}
self.logger.info(json.dumps(audit_event))
```
**Log Retention:**
```hcl
resource "aws_cloudwatch_log_group" "audit" {
retention_in_days = 2555 # 7 years
kms_key_id = aws_kms_key.logs.arn
}
resource "aws_s3_bucket_object_lock_configuration" "audit" {
bucket = aws_s3_bucket.audit_logs.id
rule {
default_retention { mode = "COMPLIANCE"; years = 7 }
}
}
```
For complete audit logging patterns including HIPAA PHI access logging, see references/audit-logging-patterns.md.
## Evidence Collection Automation
### Continuous Monitoring
Automate evidence collection for continuous compliance validation.
**Architecture:**
```
AWS Config → EventBridge → Lambda → S3 (Evidence)
→ DynamoDB (Status)
```
**Evidence Collection:**
```python
class EvidenceCollector:
def collect_encryption_evidence(self):
evidence = {
"control_id": "ENC-001",
"frameworks": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)"],
"timestamp": datetime.utcnow().isoformat(),
"status": "PASS",
"findings": []
}
# Check S3, RDS, EBS encryption status
# Document findings
return evidence
```
For complete evidence collector, see examples/evidence-collection/evidence_collector.py.
### Audit Report Generation
Generate compliance reports automatically:
```python
class AuditReportGenerator:
def generate_soc2_report(self, start_date, end_date):
controls = self.get_control_status("SOC2")
return {
"framework": "SOC 2 Type II",
"compliance_score": self.calculate_score(controls),
"trust_services_criteria": {...},
"controls": self.format_controls(controls)
}
```
For complete report generator, see examples/evidence-collection/report_generator.py.
## Control Mapping Matrix
Unified control mapping across frameworks:
| Control | SOC 2 | HIPAA | PCI-DSS | GDPR | ISO 27001 |
|---------|-------|-------|---------|------|-----------|
| MFA | CC6.1 | §164.312(d) | Req 8.3 | Art 32 | A.9.4.2 |
| Encryption at Rest | CC6.1 | §164.312(a)(2)(iv) | Req 3.4 | Art 32 | A.10.1.1 |
| Encryption in Transit | CC6.1 | §164.312(e)(1) | Req 4.1 | Art 32 | A.13.1.1 |
| Audit Logging | CC7.2 | §164.312(b) | Req 10.2 | Art 30 | A.12.4.1 |
| Access Reviews | CC6.1 | §164.308(a)(3)(ii)(C) | Req 8.2.4 | Art 32 | A.9.2.5 |
| Vulnerability Scanning | CC7.1 | §164.308(a)(8) | Req 11.2 | Art 32 | A.12.6.1 |
| Incident Response | CC7.3 | §164.308(a)(6) | Req 12.10 | Art 33 | A.16.1.1 |
**Strategy:** Implement once with proper tagging, map to all applicable frameworks.
For complete control mapping with 45+ controls, see references/control-mapping-matrix.md.
## Breach Notification Requirements
**Framework-Specific Timelines:**
- HIPAA: 60 days to HHS and affected individuals
- GDPR: 48 hours to supervisory authority (2025 update)
- SOC 2: 72 hours to affected customers
- PCI-DSS: Immediate to payment brands
**Required Elements:**
- Description of incident and data involved
- Estimated number of affected individuals
- Steps taken to mitigate harm
- Contact information for questions
- Remediation actions and timeline
For incident response templates, see references/incident-response-templates.md.
## Vendor Management
**Business Associate Agreements (HIPAA):**
- Required for all vendors handling PHI
- Specify permitted uses and disclosures
- Require appropriate safeguards
- Annual review and renewal
**Data Processing Agreements (GDPR):**
- Required for all vendors processing personal data
- Process only on controller instructions
- Implement appropriate technical measures
- Sub-processor approval required
**Assessment Process:**
1. Risk classification by data access level
2. Security questionnaire evaluation
3. BAA/DPA execution
4. SOC 2 report collection (≤90 days old)
5. Annual re-assessment
For vendor management templates, see references/vendor-management.md.
## Tools & Libraries
**Policy as Code:**
- Open Policy Agent (OPA): General-purpose policy engine
- Checkov: IaC security scanning with compliance frameworks
- tfsec: Terraform security scanner
- Trivy: Container and IaC scanner
**Compliance Automation:**
- AWS Config: AWS resource compliance monitoring
- Cloud Custodian: Multi-cloud compliance automation
- Drata/Vanta/Secureframe: Continuous compliance platforms
For tool selection guidance, see references/tool-recommendations.md.
## Integration with Other Skills
**Related Skills:**
- `security-hardening`: Technical security control implementation
- `secret-management`: Secrets handling per HIPAA/PCI-DSS
- `infrastructure-as-code`: IaC implementing compliance controls
- `kubernetes-operations`: K8s RBAC, network policies
- `building-ci-pipelines`: Policy enforcement in CI/CD
- `siem-logging`: Audit logging and monitoring
- `incident-management`: Incident response procedures
## Quick Reference
**Implementation Checklist:**
- [ ] Identify applicable frameworks
- [ ] Implement encryption (AES-256, TLS 1.3)
- [ ] Configure MFA for privileged access
- [ ] Implement RBAC with least privilege
- [ ] Set up audit logging (7-year retention)
- [ ] Configure security monitoring/alerting
- [ ] Create incident response plan
- [ ] Execute vendor agreements (BAAs, DPAs)
- [ ] Implement policy-as-code (OPA, Checkov)
- [ ] Automate evidence collection
- [ ] Conduct quarterly access reviews
- [ ] Perform annual risk assessments
**Common Mistakes:**
- Treating compliance as one-time project vs continuous process
- Implementing per-framework vs unified controls
- Manual evidence collection vs automation
- Insufficient log retention (<7 years)
- Missing MFA enforcement
- Not encrypting backups/logs
- Inadequate vendor due diligence
## References
**Framework Details:**
- references/soc2-controls.md - SOC 2 TSC control catalog
- references/hipaa-safeguards.md - HIPAA safeguards
- references/pci-dss-requirements.md - PCI-DSS 4.0 requirements
- references/gdpr-articles.md - GDPR key articles
**Implementation Patterns:**
- references/control-mapping-matrix.md - Unified control mapping
- references/encryption-implementations.md - Encryption patterns
- references/access-control-patterns.md - MFA, RBAC implementations
- references/audit-logging-patterns.md - Logging requirements
- references/incident-response-templates.md - IR procedures
**Automation:**
- references/cicd-integration.md - OPA/Checkov CI/CD integration
- references/compliance-testing.md - Automated test patterns
- references/vendor-management.md - Vendor assessment templates
- references/tool-recommendations.md - Tool selection guide
**Code Examples:**
- examples/opa-policies/ - OPA policy examples
- examples/terraform/ - Terraform control implementations
- examples/evidence-collection/ - Evidence automation
- examples/mfa-implementation.py - TOTP MFA implementation
Consult qualified legal counsel and auditors for legal interpretation and audit preparation.